All Products
Search
Document Center

ActionTrail:Query AccessKey logs

Last Updated:Jun 16, 2026

You can use the ActionTrail console to query AccessKey usage records, including the Alibaba Cloud services accessed, associated IP addresses, and resources, helping you monitor account security and detect potential threats.

Prerequisites

Obtain the AccessKey ID you want to query. For more information, see Obtain an AccessKey.

ActionTrail retains events from the past 90 days by default. To access older records, create a trail to deliver events to SLS or OSS. For more information, see Create a single-account trail.

Procedure

  1. Log on to the ActionTrail console.

  2. In the navigation pane on the left, choose AccessKey Pair Audit > AccessKey Event Query.

  3. On the AccessKey Event Query page, enter the AccessKey ID and click the 查询按钮 icon.

  4. In the Basic Information section, view details such as AccessKey ID, Account ID (Alibaba Cloud account ID), Username, RAM User ID, Last Accessed At, and Service Last Accessed.

  5. In the Alibaba Cloud Service section, view the list of Alibaba Cloud services accessed by this AccessKey, along with the Event List, IP Address List, and Resource List.

    • Alibaba Cloud service list

      In the Alibaba Cloud Service section, view the Cloud Service and Last Accessed At.

    • Event list

      Click Event List in the Actions column for a specific Alibaba Cloud service to view details such as Event Name, Last Called At, Region, and event details.

      Note
    • IP list

      Click IP Address List in the Actions column for a specific Alibaba Cloud service to query the IP, Last Accessed At, Region, and IP address details.

    • Resource list

      Click Resource List in the Actions column for a specific Alibaba Cloud service to query the Resource Type, Resource Name, Last Accessed At, Region, and resource details.

      For a list of resource types supported by AccessKey Audit, see Resource types.

AK leak investigation and response

If an AccessKey is leaked, use AccessKey Audit to investigate abnormal operations during the leak period and mitigate damage.

Critical high-risk event types

In the event list, focus on these high-risk operation events:

Event name

Risk description

CreateInstance

An attacker creates ECS instances for cryptomining or proxy setup.

AuthorizeSecurityGroup

An attacker opens vulnerable ports (such as 22 or 3389), exposing internal resources.

CreateAccessKey

An attacker creates a new AccessKey for an existing RAM user to maintain access.

CreatePolicy / AttachPolicyToUser

An attacker escalates privileges by granting high-risk permissions such as AdministratorAccess to themselves or newly created users.

CreateUser

An attacker creates a backdoor RAM user to establish persistent access.

Response steps after detecting abnormal operations

  1. Disable and delete the leaked AccessKey. Disable the AccessKey in the RAM console. After confirming that your business is unaffected, delete it. Also rotate to a new AccessKey for the affected user.

  2. Check for unauthorized AccessKeys or RAM users. Search the event list for CreateAccessKey and CreateUser events. Delete all unauthorized AccessKeys and RAM users.

  3. Roll back abnormal resources. Identify and release resources created by the attacker, such as ECS instances and OSS buckets. Revoke unauthorized security group rules and access policy changes.

  4. Investigate suspicious IP addresses. In the IP list, identify non-internal IP addresses to locate the attack source and assess impact scope.

Related operations